6

I am using a copy of Piwik, which is excellent.

For ~~paranoia~~ additional security, I want to place Piwik's back-end in a folder that is protected by Apache basic authentication, and whose path is hidden from prying eyes.

 http://example.com/protected/piwik
                        ^----------------- .htpasswd protected

However, now the tracking code of course no longer works!

var pkBaseURL = (("https:" == document.location.protocol) ?
"https://example.com/protected/piwik/" : "http://example.com/protected/piwik/");

Is there a common way of placing the Piwik back-end in a separate protected directory, but allowing the tracker to work as usual?

Pekka

2 Answers

4

There is a better solution: use .htaccess to selectively restrict access to Piwik files: http://forum.piwik.org/read.php?2,17251

NickT
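
One way to apply the selective restriction this answer describes, as an added example that is not taken from the linked forum thread or from Piwik itself. It assumes Apache 2.4 syntax, `AllowOverride AuthConfig` for the directory, a placeholder `AuthUserFile` path, and that `piwik.php` and `piwik.js` are the only files visitors' browsers need for tracking:

```apache
# .htaccess placed in the Piwik directory (here: /protected/piwik/)

# Default for everything in this directory: HTTP basic authentication.
# This covers index.php, i.e. the reporting and admin back-end.
AuthType Basic
AuthName "Piwik back-end"
# Placeholder path: keep the password file outside the document root.
AuthUserFile /path/to/.htpasswd
Require valid-user

# Exception: the tracker endpoint and the tracker script must be
# reachable without credentials, because they are requested by every
# visitor's browser from the pages being tracked.
# With the default "AuthMerging Off", the Require below replaces the
# directory-level "Require valid-user" for these two files only.
<FilesMatch "^piwik\.(php|js)$">
    Require all granted
</FilesMatch>

# On Apache 2.2 the equivalent exception inside the FilesMatch block is:
#     Order allow,deny
#     Allow from all
#     Satisfy Any
```

The tracking snippet embedded in public pages still contains the directory path, so this protects the back-end with a password but does not hide its location. Send basic-auth credentials over HTTPS only.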
0

There seems to be a workaround:

If you don't mind losing one-click updates, I think this is doable:

  • copy the core, libs, plugins, config, and tmp folders to a location outside of the piwik document root
  • run "find" to remove .php and .tpl files in those folders still in the document root
  • in index.php and piwik.php, manually set PIWIK_INCLUDE_PATH to point to the hidden(?) folder
  • Disclaimer: untested; use a snapshot from svn (or wait for 0.4.2)

We probably won't change the build/release script, but if you come up with a patch for the Updater, we'll consider it. (You might start with defining PIWIK_DOCUMENT_ROOT, and reading a bootstrap.ini.php file, if present, to override PIWIK_INCLUDE_PATH.)

More elegant solutions are still welcomed.

Pekka